Beyond the Changelog
This article goes beyond the Changelog and demonstrates the use of new osquery features in context.
The focus of this article is new features, so check out the changelog for the full list of changes.
Tables
socket_events (macOS)
screenlock (macOS)
chrome_extension_content_scripts (All Platforms)
docker_container_fs_changes (POSIX)
windows_security_center (Windows)
userassist (Windows)
hvci_status (Windows)
lxd Series (Linux)
socket_events – macOS
The socket_events table is now available on macOS in addition to the previously supported Linux platforms.
This table provides auditing of system calls related to socket-based networking.
The OpenBSM auditing system must be configured separately from osquery in order to receive the events. The following configuration is placed in /etc/security/audit_control:
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:ex,pc,ap,aa,lo,ad,nt
flags:ex,pc,ap,aa,lo,ad
minfree:5
naflags:no
policy:cnt,argv,arge
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated
After setting the configuration, restart the computer.
Now run osquery with --disable_audit=false --audit_allow_sockets=true (also --disable_events=false if using osqueryi).
Output from the table looks like:
osquery> select * from socket_events;
action = connect
pid = 393
path = /Applications/Dropbox.app/Contents/MacOS/Dropbox
fd = 8a
auid = 501
success = 0
family = 2
local_address = 0
remote_address = 162.125.35.136
local_port = 0
remote_port = 443
time = 1587405089
uptime = 218
action = bind
pid = 725
path = /Applications/Docker.app/Contents/Resources/bin/com.docker.vpnkit
fd = 10
auid = 501
success = 1
family = 2
local_address = 0.0.0.0
remote_address = 0
local_port = 0
remote_port = 0
time = 1587405102
uptime = 231
action = bind
pid = 725
path = /Applications/Docker.app/Contents/Resources/bin/com.docker.vpnkit
fd = 11
auid = 501
success = 1
family = 2
local_address = 0.0.0.0
remote_address = 0
local_port = 0
remote_port = 0
time = 1587405102
uptime = 231
screenlock – macOS
This table indicates whether the automatic macOS screenlock is enabled, and the grace period before it activates. Only available on macOS 10.13+.
osquery> SELECT * FROM screenlock;
+---------+--------------+
| enabled | grace_period |
+---------+--------------+
| 1 | 5 |
+---------+--------------+
chrome_extension_content_scripts – All Platforms
This table provides more detailed information about the execution of JavaScript from Chrome extensions. By joining to the chrome_extensions table, we can observe which URLs a given extension's scripts will run on.
osquery> SELECT * FROM chrome_extensions JOIN chrome_extension_content_scripts USING (identifier) limit 5;
uid = 501
name = 1Password extension (desktop app required)
profile = Default Profile
identifier = aomjjhallfgjeglblehebfpbcfeobpgk
version = 4.7.5.90
description = Extends the 1Password app on your Mac or Windows PC, so you can fill and save passwords in your browser.
locale = en
update_url = https://clients2.google.com/service/update2/crx
author = AgileBits
persistent = 0
path = /Users/zwass/Library/Application Support/Google/Chrome/Default/Extensions/aomjjhallfgjeglblehebfpbcfeobpgk/4.7.5.90_0/
permissions = contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*
optional_permissions =
uid =
version = 4.7.5.90
script = injected.min.js
match = http://*/*
uid = 501
name = 1Password extension (desktop app required)
profile = Default Profile
identifier = aomjjhallfgjeglblehebfpbcfeobpgk
version = 4.7.5.90
description = Extends the 1Password app on your Mac or Windows PC, so you can fill and save passwords in your browser.
locale = en
update_url = https://clients2.google.com/service/update2/crx
author = AgileBits
persistent = 0
path = /Users/zwass/Library/Application Support/Google/Chrome/Default/Extensions/aomjjhallfgjeglblehebfpbcfeobpgk/4.7.5.90_0/
permissions = contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*
optional_permissions =
uid =
version = 4.7.5.90
script = injected.min.js
match = https://*/*
docker_container_fs_changes – POSIX
This table provides a summary of the changes to a Docker container's filesystem since the container was created.
Run a Docker container and modify some files:
docker run --rm -it alpine:latest sh
/ # touch foobar
/ # cat > /etc/passwd
tim tam
/ #
Select the changes using the ID of the running container:
osquery> SELECT * FROM docker_container_fs_changes WHERE id = '1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c';
id = 1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c
path = /etc
change_type = C
id = 1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c
path = /etc/passwd
change_type = C
id = 1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c
path = /foobar
change_type = A
id = 1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c
path = /root
change_type = C
id = 1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c
path = /root/.ash_history
change_type = A
How to interpret the data:
C - Changed
A - Added
D - Deleted
windows_security_center – Windows
This table exposes information about the configuration of security products on Windows systems.
osquery> SELECT * FROM windows_security_center;
firewall = Error
autoupdate = Good
antivirus = Good
antispyware = Good
internet_settings = Good
windows_security_center_service = Good
user_account_control = Good
userassist – Windows
UserAssist records the programs that have been executed on a Windows system. Try using an ORDER BY clause when querying this table to get a list of recently opened applications.
osquery> SELECT * FROM userassist ORDER BY last_execution_time DESC LIMIT 3;
path = C:\Users\Public\Desktop\Firefox.lnk
last_execution_time = 1587170116
count = 2
sid = S-1-5-21-985353834-2318998755-1039042827-1001
path = {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe
last_execution_time = 1587170030
count = 162
sid = S-1-5-21-985353834-2318998755-1039042827-1001
path = {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe
last_execution_time = 1587169981
count = 108
sid = S-1-5-21-985353834-2318998755-1039042827-1001
hvci_status – Windows
This table provides the configuration status for Windows Device Guard HVCI protection.
osquery> select * from hvci_status;
version = 1.0
instance_identifier = 4ff40742-2649-41b8-bdd1-e80fad1cce80
vbs_status = UNKNOWN
code_integrity_policy_enforcement_status = UNKNOWN
umci_policy_status = UNKNOWN
lxd Series – Linux
This collection of new tables provides access to information about the LXD containerization technology running on a Linux host.
Configure osquery with the path of the LXD server socket. In our standard Ubuntu 18.04 installation this was sudo osqueryi --lxd_socket=/var/snap/lxd/common/lxd/unix.socket.
Available tables:
lxd_certificates
lxd_images
lxd_instances
lxd_cluster
lxd_instance_config
lxd_networks
lxd_cluster_members
lxd_instance_devices
lxd_storage_pools
osquery> select * from lxd_images;
id = 2cfc5a5567b8d74c0986f3d8a77a2a78e58fe22ea9abd2693112031f85afa1a1
architecture = x86_64
os = ubuntu
release = bionic
description = ubuntu 18.04 LTS amd64 (release) (20200407)
aliases =
filename = ubuntu-18.04-server-cloudimg-amd64-lxd.tar.xz
size = 187712276
auto_update = 1
cached = 1
public = 0
created_at = 2020-04-06T17:00:00-07:00
expires_at = 2023-04-25T17:00:00-07:00
uploaded_at = 2020-04-20T13:15:47.204996207-07:00
last_used_at = 2020-04-20T13:15:47.24795917-07:00
update_source_server = https://cloud-images.ubuntu.com/releases
update_source_protocol = simplestreams
update_source_certificate =
update_source_alias = 18.04
osquery> select * from lxd_instances;
name = first
status = Running
stateful = 0
ephemeral = 0
created_at = 2020-04-20T13:15:47.216058813-07:00
base_image = 2cfc5a5567b8d74c0986f3d8a77a2a78e58fe22ea9abd2693112031f85afa1a1
architecture = x86_64
os = ubuntu
description = Ubuntu 18.04 LTS server (20200407)
pid = 1686
processes = 24
osquery> select * from lxd_cluster;
server_name =
enabled = 0
member_config_entity = storage-pool
member_config_name = default
member_config_key = size
member_config_value =
member_config_description = "size" property for storage pool "default"
osquery> select * from lxd_instance_config where name = 'first';
name = first
key = image.architecture
value = amd64
name = first
key = image.description
value = ubuntu 18.04 LTS amd64 (release) (20200407)
name = first
key = image.label
value = release
name = first
key = image.os
value = ubuntu
name = first
key = image.release
value = bionic
name = first
key = image.serial
value = 20200407
name = first
key = image.type
value = squashfs
name = first
key = image.version
value = 18.04
name = first
key = volatile.base_image
value = 2cfc5a5567b8d74c0986f3d8a77a2a78e58fe22ea9abd2693112031f85afa1a1
name = first
key = volatile.eth0.host_name
value = vethaed27f98
name = first
key = volatile.eth0.hwaddr
value = 00:16:3e:81:b0:ef
name = first
key = volatile.idmap.base
value = 0
name = first
key = volatile.idmap.current
value = [{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]
name = first
key = volatile.idmap.next
value = [{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]
name = first
key = volatile.last_state.idmap
value = [{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]
name = first
key = volatile.last_state.power
value = RUNNING
osquery> select * from lxd_networks;
name = lxdbr0
type = bridge
managed = 1
ipv4_address = 10.116.236.1/24
ipv6_address = fd42:98e6:277e:e9ee::1/64
used_by = first
bytes_received = 5458
bytes_sent = 21474
packets_received = 60
packets_sent = 128
hwaddr = 2a:6a:bf:23:13:23
state = up
mtu = 1500
name = lo
type = loopback
managed = 0
ipv4_address =
ipv6_address =
used_by =
bytes_received = 14810
bytes_sent = 14810
packets_received = 151
packets_sent = 151
hwaddr =
state = up
mtu = 65536
name = enp0s3
type = physical
managed = 0
ipv4_address =
ipv6_address =
used_by =
bytes_received = 676991
bytes_sent = 59411
packets_received = 848
packets_sent = 481
hwaddr = 08:00:27:92:41:b5
state = up
mtu = 1500
osquery> select * from lxd_cluster_members;
server_name = none
url = https://0.0.0.0
database = 0
status = Offline
message = no heartbeat since 16m13.555443828s
osquery> select * from lxd_instance_devices where name = 'first';
name = first
device = eth0
device_type = nic
key = name
value = eth0
name = first
device = eth0
device_type = nic
key = network
value = lxdbr0
name = first
device = root
device_type = disk
key = path
value = /
name = first
device = root
device_type = disk
key = pool
value = default
osquery> select * from lxd_storage_pools;
name = default
driver = zfs
source = /var/snap/lxd/common/lxd/disks/default.img
size = 1GB
space_used = 367023104
space_total = 855638016
inodes_used = 0
inodes_total = 0